Use actual GitHub secrets for PostgreSQL and JWT instead of random generation

- Updated GitHub workflow to use secrets.POSTGRES_PASSWORD and secrets.JWT_SECRET
- Updated local deployment script to require same environment variables
- Fixed PostgreSQL database name configuration
- Set proper placeholders in values.yaml since they're overridden by --set-string

Author: yassinsws

.github/workflows/deploy-kubernetes.yml

@@ -84,13 +84,17 @@ jobs:
             echo "❌ OPEN_WEBUI_API_KEY_GEN secret is not set"
             exit 1
           fi
+          if [ -z "${{ secrets.POSTGRES_PASSWORD }}" ]; then
+            echo "❌ POSTGRES_PASSWORD secret is not set"
+            exit 1
+          fi
+          if [ -z "${{ secrets.JWT_SECRET }}" ]; then
+            echo "❌ JWT_SECRET secret is not set"
+            exit 1
+          fi
           echo "✅ All required secrets are present"
 
-      - name: Generate JWT Secret
-        id: jwt-secret
-        run: |
-          JWT_SECRET=$(openssl rand -base64 64)
-          echo "jwt_secret=${JWT_SECRET}" >> $GITHUB_OUTPUT
+# JWT Secret is now provided via GitHub secrets
 
       - name: Deploy with Helm
         env:
@@ -107,8 +111,8 @@ jobs:
             helm upgrade studymate ./infra/helm -n studymate \
               --set ingress.host="${DOMAIN}" \
               --set client.image.tag="k8s-latest" \
-              --set-string secrets.postgres.data.password="$(openssl rand -base64 32)" \
-              --set-string secrets.auth.data.jwtSecret="${{ steps.jwt-secret.outputs.jwt_secret }}" \
+              --set-string secrets.postgres.data.password="${{ secrets.POSTGRES_PASSWORD }}" \
+              --set-string secrets.auth.data.jwtSecret="${{ secrets.JWT_SECRET }}" \
               --set-string secrets.genai.data.openWebUiApiKeyChat="${OPEN_WEBUI_API_KEY_CHAT}" \
               --set-string secrets.genai.data.openWebUiApiKeyGen="${OPEN_WEBUI_API_KEY_GEN}" \
               --set-string secrets.genai.data.langsmithApiKey="${LANGSMITH_API_KEY}" \
@@ -119,8 +123,8 @@ jobs:
             helm install studymate ./infra/helm -n studymate \
               --set ingress.host="${DOMAIN}" \
               --set client.image.tag="k8s-latest" \
-              --set-string secrets.postgres.data.password="$(openssl rand -base64 32)" \
-              --set-string secrets.auth.data.jwtSecret="${{ steps.jwt-secret.outputs.jwt_secret }}" \
+              --set-string secrets.postgres.data.password="${{ secrets.POSTGRES_PASSWORD }}" \
+              --set-string secrets.auth.data.jwtSecret="${{ secrets.JWT_SECRET }}" \
               --set-string secrets.genai.data.openWebUiApiKeyChat="${OPEN_WEBUI_API_KEY_CHAT}" \
               --set-string secrets.genai.data.openWebUiApiKeyGen="${OPEN_WEBUI_API_KEY_GEN}" \
               --set-string secrets.genai.data.langsmithApiKey="${LANGSMITH_API_KEY}" \

deploy-local.sh

@@ -57,6 +57,18 @@ if [ -z "$OPEN_WEBUI_API_KEY_GEN" ]; then
     exit 1
 fi
 
+if [ -z "$POSTGRES_PASSWORD" ]; then
+    print_error "POSTGRES_PASSWORD is not set"
+    echo "Set it with: export POSTGRES_PASSWORD='your-postgres-password'"
+    exit 1
+fi
+
+if [ -z "$JWT_SECRET" ]; then
+    print_error "JWT_SECRET is not set"
+    echo "Set it with: export JWT_SECRET='your-jwt-secret'"
+    exit 1
+fi
+
 print_success "All required secrets are present"
 
 # Check prerequisites
@@ -121,6 +133,8 @@ print_status "Domain: $DOMAIN"
 helm upgrade --install "$RELEASE_NAME" "$CHART_PATH" \
     --namespace "$NAMESPACE" \
     --create-namespace \
+    --set-string secrets.postgres.data.password="$POSTGRES_PASSWORD" \
+    --set-string secrets.auth.data.jwtSecret="$JWT_SECRET" \
     --set-string secrets.genai.data.openWebUiApiKeyChat="$OPEN_WEBUI_API_KEY_CHAT" \
     --set-string secrets.genai.data.openWebUiApiKeyGen="$OPEN_WEBUI_API_KEY_GEN" \
     --set-string secrets.genai.data.langsmithApiKey="$LANGSMITH_API_KEY" \

infra/helm/values.yaml

@@ -186,7 +186,7 @@ postgres:
           name: postgres-secret
           key: password
     - name: POSTGRES_DB
-      value: mydb
+      value: studymate
 
 weaviate:
   image:
@@ -250,15 +250,15 @@ secrets:
     existingSecret: ""  # Name of existing secret to use instead of creating new one
     data:
       username: postgres
-      password: "securePostgresPassword123!"  # HARDCODED for development
+      password: "placeholder-postgres-password"  # Overridden by GitHub secret via --set-string
 
   # Auth service secrets (shared JWT secret)
   auth:
     create: true
     name: auth-secret
     existingSecret: ""  # Name of existing secret to use instead of creating new one
     data:
-      jwtSecret: "mySecretKey1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"  # HARDCODED for development
+      jwtSecret: "placeholder-jwt-secret"  # Overridden by GitHub secret via --set-string
 
   genai:
     create: true